Educause Security Discussion mailing list archives

Re: key topics to include in security awareness training materials


From: Melissa Guenther <mguenther () COX NET>
Date: Thu, 5 Feb 2009 14:37:42 -0700

I design Security Awareness CBTs and am sending the TOC for three different
versions. Hope this helps.
Melissa

CBT 1
Learning Objectives
- To explain your role in information security to others
- To be able to explain why it's important to read, understand and
comply with the Electronic Networks Usage Policy (ENUP)
- To identify ways in which you can protect information from loss,
disclosure or misuse
- To be able to explain how to protect and secure your working
environment
- To detect signs of trouble and react appropriately

Modules
- Company Information Security
- Electronic Networks Usage Policy
- Protecting Sensitive Information
- Protecting Your Password
- Selecting Your Password
- Protecting Your Computer From Viruses
- Securing E-mail
- Secure Use of the Internet
- Avoiding Social Engineering
- Protecting Laptops & Other Portable Devices
- Working at Home
- Where to Get Help and Wrap Up

CBT 2
Home users need to understand the basics of security:
-Virus Issues
-E-mail Safety
-Passwords
-Digital Rights
-Patch Management
-Firewalls and Privacy
-Disaster Recovery

At first glance these sound like some very complex and complicated concepts,
but when they are broken down, they are really quite common sense
activities.

For virus issues, you need to make sure that you have an anti-virus program
installed, but equally important, you need to make sure that the anti-virus
program is updated quite frequently.  Anti-virus signature or data files
contain the new vaccinations to the latest computer viruses, worms and
Trojan horse programs that were created after the original anti-virus
software was released.  The immunization shots you received as a child
protect you from the mumps, rubella and measles, but they do nothing to
protect you from the flu, anthrax, rabies or smallpox.   Luckily for us,
updating the computer anti-virus signature files is much easier and much
less painful than getting jabbed with a sharp needle.

E-mail safety:  taking precautions with your e-mail will help reduce the
instances of computer virus attacks.  Just as you take care when opening
the door to strangers, you need to take the same sort of care with opening
unsolicited e-mail or spam.  Since a majority of spam messages are
automatically created and addressed by scripts run on computers, do not ever
reply to spam, since this will give the spammers a valid e-mail address and
will result in much more spam.  Other considerations for e-mail have to do
with attachments and links.  Never open attachments unless they have been
scanned by an updated anti-virus package. If you have not requested a file,
be extra suspicious, since this is the most common method of spreading
computer viruses.  Unfortunately, it isn't even safe to click on links
anymore. There are several common vulnerabilities that can compromise simple
URLs.

Think of your passwords as your keys. You wouldn't have the same key to
open every door, whether your front door, your car door or your safety
deposit box.  Just as keys and locks have evolved into sophisticated
mechanisms, your passwords need to be sophisticated as well. Just as you
take reasonable care with your keys, you need to take reasonable care with
your passwords. Just as you wouldn't think of taping the key to your front
door to the door, you should never think to write your password down on a
yellow sticky note and paste it to your monitor.  When you choose a good
strong password, choose a word that is at least eight characters long, avoid
commonly used words, purposely misspell words, use nonsensical or made-up
words, and always add numbers and special characters to your password.
Avoid these common pitfalls: never use your Social Security Number, the name
of a loved one, your favorite sports team, favorite hobbies, or common
dictionary words. An example of a strong password could be "~Grulp00l<."
Examples of bad or weak passwords are "Mariners" or "Fluffy", since these
could be easily guessed, since it is well known that you hold season baseball
tickets, or that your beloved pet bunny's name is Fluffy.

Digital Rights or piracy means that if you are going to run software, you
need to purchase that software.  Civil penalties for illegal software run
into the hundreds of thousands of dollars.  Criminal penalties for illegal
software include steep fines and jail time.

Patch management is just a fancy way of saying that you need to
install your patches in a timely manner.  Just as new viruses are being
released, flaws are found in the software you have installed on your
computer system.  Software makers periodically release software patches for
everything ranging from operating systems to browsers to games. It is
important to install these patches when they are released to protect your
system.

Firewalls protect you from the heat. In a fireplace, that firewall can
protect the rest of your house. In your car, the firewall protects you from
the engine heat, and provides some structural support for the car.  A
computer firewall performs basically the same function electronically - it
protects your system from some of the heat from the Internet.  Modern
operating systems have integrated firewall systems and there are a number of
personal firewalls available.

Privacy isn't just about protecting us from identity theft, although that is
definitely one of the more high profile examples of the need to protect our
personal and private information.  We now have laws to protect our health
information, in the form of the new HIPAA regulations.  We are all aware of
identity theft these days. There are TV commercials from financial
institutions touting the dangers of fraud, and it seems like hardly a day
goes by without a major news story featuring either a new scam or a victim
who is trying to clear their good name. Some of the ways to protect your
personal information include not having your Social Security Number, SSN, or
your driver's license number printed on your checks. Buy a cross cut
shredder and shred all documents that contain important information, such as
credit card numbers, your SSN, or other related important information.
Never respond to e-mails requesting your account numbers or passwords, or
other similar information.

The recent fires and floods that have held our collective attention serve as
reminders that all households need to have a disaster recovery and
contingency plan. While businesses need to be concerned with safeguarding
their assets, private individuals need to create plans as well. These plans
should include a complete household inventory, plans for children and pets,
meeting locations, and 72-hour emergency packs should be created and
reviewed frequently.  In the parts of the country where there are harsh
winters, emergency packs should be placed in cars as well.  In many fires
where people lose everything, many times the victims can't even give the
insurance companies complete inventories of the household goods that were
lost. Copies of important documents should be stored in a safe location,
such as a safety deposit box.  Computer data should be frequently backed
up, and a copy should be kept with your other documents.

In the Workplace
Workers' security includes not only physical security, making sure that
employees have a safe workplace, but it also includes the implementation of
security policies and procedures.  Some of these policies include dealing
with unauthorized access, emergency preparedness and contingency planning,
and dealing with pornography to prevent sexual harassment incidents.
Workplace violence also needs to be addressed because, while servers and
laptops are easily replaced, the knowledge and experience your workers hold
are much more valuable.

All companies have proprietary information whether you are Coca-Cola or the
Federal Government. As a member of the management team, protecting these
trade secrets is part of your responsibility. It is incumbent upon you to
make sure your security team is well funded and well trained.
The reception area is the first line in defense for many companies, and as
such they need to add to the basic users' skill set:

Physical security concerns itself with such things as doors, locks, guards,
identification badges and other similar physical barriers.  The reception
area is really the first line of defense for physical security and social
engineering issues.

Social Engineering refers to people bluffing their way past security
checkpoints, whether they are calling and impersonating someone with
authority, or impersonating a maintenance worker in order to gain physical
access to secured areas.  Always verify the identification of all visitors,
and never give out sensitive information over the phone without positively
verifying the identity of the caller.

Management Needs
The "why" of security is different than the "how" of security. It is
important that Management has an understanding of security issues so that
they can make good management choices. Management is not only responsible
for the security of their facility, but most importantly, they are also
responsible for the security of their workers.

Executive Needs
When security works, nothing seems to happen. All too often this makes
security teams a target for the budget ax, since they are a cost center
instead of a revenue generating entity. While the payroll department does
not generate any revenue, very few companies would go without a mechanism to
pay workers.

We have all heard of anecdotes where senior management personnel are not
even capable of reading their own e-mail, let alone remembering their own
passwords. Such tasks are deemed to be beneath their notice or abilities or
station.  If you had an off-shore bank account that was worth millions of
dollars, would you be bothered to remember that password? The security of
your company deserves no less attention or care.

When executives travel, they often take their laptops with them. These
laptops are a target of thieves, not so much for the intrinsic value of the
hardware. The real target is the information contained on those laptops.
Executives are privy to company secrets; some of those secrets could be very
damaging to their company if that information is made public. This
information could be financial information, product information, or even
corporate e-mails that could be very damaging if they fell into the wrong
hands.  Make sure that as part of your security policies and procedures you
cover laptop security.

The Gramm-Leach-Bliley Act http://www.ftc.gov/privacy/glbact/ "The Financial
Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB
Act, includes provisions to protect consumers' personal financial
information held by financial institutions. There are three principal parts
to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and
pretexting provisions."
Modules include:
Pornography: Pornography is problematic for several reasons. In a business
setting, pornography can result in sexual harassment lawsuits being filed if
a company does not have the policies and countermeasures in place to
restrict this activity.  From a technical perspective, pornographic sites
are often laden with various viruses, worms, or Trojan horse programs.
Additionally, hacker sites often use porn pop-up ads to generate funds to
support their site. These pop-ups can literally generate more instances of
your browser than your system can handle.

Coding issues:  If your organization has any responsibility for writing or
maintaining computer code, then it is important that your development staff
understands and implements measures to write secure code.  One of the most
common security holes that could be eliminated is the buffer overflow, which
exists solely because of bad programming practices.

E-mail safety:  taking precautions with your e-mail will help reduce the
instances of computer virus attacks.  Just as you take care when opening
the door to strangers, you need to take the same sort of care with opening
unsolicited e-mail or spam.  Since a majority of spam messages are
automatically created and addressed by scripts run on computers, do not ever
reply to spam, since this will give the spammers a valid e-mail address and
will result in much more spam.  Other considerations for e-mail have to do
with attachments and links.  Never open attachments unless they have been
scanned by an updated anti-virus package. If you have not requested a file,
be extra suspicious, since this is the most common method of spreading
computer viruses.  Unfortunately, it isn't even safe to click on links
anymore. There are several common vulnerabilities that can compromise simple
URLs.

Networks: Network security is more than just making sure that the routers
are locked down. In a global sense it means securing every node on your
network. This includes workstation security: anti-virus packages, spam
filters, software licenses, and other similar considerations.  Networks need
to have firewalls, intrusion detection systems (IDS), and other similar
systems installed. If there are outside connections that need to be
maintained, then things such as virtual private networks (VPNs), remote
access servers, wireless connectivity issues, and other similar measures
need to be taken.

Passwords: Think of your passwords as your keys. You wouldn't have
the same key to open every door, whether your front door, your car door or
your safety deposit box.  Just as keys and locks have evolved into
sophisticated mechanisms, your passwords need to be sophisticated as well.
Just as you take reasonable care with your keys, you need to take reasonable
care with your passwords. Just as you wouldn't think of taping the key to
your front door to the door, you should never think to write your password
down on a yellow sticky note and paste it to your monitor.  When you choose
a good strong password, choose a word that is at least eight characters
long, avoid commonly used words, purposely misspell words, use nonsensical
or made-up words, and always add numbers and special characters to your
password.  Avoid these common pitfalls: never use your Social Security
Number, the name of a loved one, your favorite sports team, favorite
hobbies, or common dictionary words. An example of a strong password could
be "~Grulp00l<."  Examples of bad or weak passwords are "Mariners" or
"Fluffy", since these could be easily guessed, since it is well known that you
hold season baseball tickets, or that your beloved pet bunny's name is
Fluffy.


Physical Security:  Physical security concerns itself with such things as
doors, locks, guards, identification badges and other similar physical
barriers.

WiFi use:  Short for wireless fidelity and is meant to be used generically when
referring to any type of 802.11 network whether 802.11b, 802.11a, dual-band,
etc. Webopedia.com  http://www.pcwebopedia.com/TERM/W/Wi_Fi.html  Wireless
networks can be problematic for several reasons. Users have been known to
bring in wireless hubs from home and install them in the corporate setting.
Unfortunately, when this happens, the network administrators and security
personnel effectively lose all control of their network, since rogue network
points are by definition uncontrollable.  If a wireless network is set up
incorrectly, it will make available the entire network to anyone passing or
driving by your site. This means that your entire network, including all the
proprietary information, such as payroll, is now visible to the world.

Cell phones: As cell phones become more sophisticated, they are
starting in some instances to be small computers in their own right. Some
have the capability of PDAs, while other phones are starting to integrate
digital cameras. There is some concern with these new phones that they can
be used to break the law, especially voyeurism laws. Keep in mind that these
phones can be used to take photographs of sensitive areas and documents as
well as snap pictures of happy puppies. There is some anecdotal evidence
that text messaging is being used to facilitate cheating in schools.

PDAs: Personal Digital Assistants, like cell phones, seem to be ubiquitous
these days. While they are very handy little devices, they can be used to
cause damage to a company if not properly accounted for, since they can be
used to remove restricted data from a company. If your company permits the
use of PDAs, one of the policies that covers them should include language
that restricts the PDA from being synchronized on multiple computers. If the
PDA is used for business purposes, then it should only contain business
applications and data. Additional consideration for PDAs is to be aware that
there are viruses written for specific PDA platforms. Also, PDAs have
wireless capabilities, whether they have 802.11 capabilities or infrared
beaming abilities.

Spam: unsolicited e-mail is called spam.  Since a majority of spam messages
are automatically created and addressed by scripts run on computers, do not
ever reply to spam, since this will give the spammers a valid e-mail address
and will result in much more spam.  Not only is spam annoying, but it can
clog a company's e-mail servers, and it is also a known virus injection
method.

Patch Management: Patch management is just a fancy way of saying that you
need to install your patches in a timely manner.  Just as new
viruses are being released, flaws are found in the software you have
installed on your computer system.  Software makers periodically release
software patches for everything ranging from operating systems to browsers
to games. It is important to install these patches when they are released to
protect your system.

DRM (Digital Rights): Digital Rights or piracy means that if you are going to
run software, you need to purchase that software.  Civil penalties for
illegal software run into the hundreds of thousands of dollars.  Criminal
penalties for illegal software include steep fines and jail time.

HIPAA:  National Standards to Protect the Privacy of Personal Health
Information http://www.hhs.gov/ocr/hipaa/  These recently enacted rules are
safeguards to protect your personal and private health information. All
healthcare providers and insurance companies are required to comply with
various safeguards and countermeasures to protect patient information.

Biometrics:  This group of technology solutions uses personal
characteristics to verify your identity.  It can either be based on a
physical measurement, of say your fingerprint, or a particular behavior such
as your typing pattern or the way you walk.
For more information, please see the following sites:

BioAPI Consortium http://bioapi.org/
The National Institute of Standards and Technology's (NIST) site is The
Biometrics Resource Center Website
http://www.itl.nist.gov/div895/biometrics/

CBT 3
Personal Security
Intelligence Gathering (Social Engineering)
Identity Theft
Clean Desk Policy
Document Disposal
Parking Lot Security
Violence in the Workplace
Reporting Security Incidents

Physical Security
Building Access
Rules for ID Badges
PC Security
Visitor Control
Emergency Alerts
Property Passes
Telephone Fraud
After Hours Access

Information Security
Password Construction and Management
Screen Savers
Internet Security
Software Piracy
Data Backup
Email Usage
Internet Usage
Viruses


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Cline
Sent: Thursday, February 05, 2009 9:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] key topics to include in security awareness training
materials

Greetings,

I wanted to send a very general email message to start a conversation on
security awareness. For those of you who have something that you
currently use for security awareness training and dissemination of
information, whether developed in-house or third-party courseware
management platform, could you send a reply and let me know what are the
key topics that you are covering?

Regards,
Tim Cline


Tim Cline
ITS Security Analyst
ITS Security / Information Technology Services
The University of North Carolina at Chapel Hill
(919) 445-9388
Tim_Cline () unc edu
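A small checker that encodes the password rules from the CBT 2 text above (at least eight characters, numbers and special characters, no common words, SSNs or personal names such as a team or a pet) and classifies the post's own examples "~Grulp00l<", "Mariners" and "Fluffy". This is added example code, not part of the CBT material; the denylist and the letter-substitution table are constructed, and the substitution step goes slightly beyond the post so that disguised dictionary words like "Passw0rd" are still caught.

```python
import re

# Constructed stand-in for the "common dictionary words" and easily guessed
# names the post warns about; a real deployment would use a large wordlist.
COMMON_WORDS = {"mariners", "fluffy", "password", "baseball", "welcome", "letmein"}

# Assumed letter substitutions, so "Passw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s"})

# Nine digits with optional dashes in the 3-2-4 layout of a US SSN.
SSN_PATTERN = re.compile(r"\d{3}-?\d{2}-?\d{4}")


def letters_only(text: str) -> str:
    """Lower-case the text and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", text.lower())


def word_cores(pw: str) -> set:
    """The password reduced to letters, with and without leet substitutions."""
    return {letters_only(pw), letters_only(pw.translate(LEET_MAP))}


def password_findings(pw: str, personal_terms=()) -> list:
    """Return the rules from the post that the password breaks (empty = ok).

    personal_terms are facts an attacker could learn about the user (pet
    names, teams, hobbies); the post's point is that these make a password
    guessable even when it otherwise looks complex.
    """
    findings = []
    if len(pw) < 8:
        findings.append("shorter than eight characters")
    if not re.search(r"\d", pw):
        findings.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("no special character")
    if SSN_PATTERN.search(pw):
        findings.append("contains something that looks like an SSN")
    cores = word_cores(pw)
    if cores & COMMON_WORDS:
        findings.append("common word or name")
    for term in personal_terms:
        needle = letters_only(term)
        if needle and any(needle in core for core in cores):
            findings.append(f"contains personal term '{term}'")
    return findings


def is_strong(pw: str, personal_terms=()) -> bool:
    return not password_findings(pw, personal_terms)


if __name__ == "__main__":
    # The post's own examples, plus a couple of disguised variants.
    for candidate in ("~Grulp00l<", "Mariners", "Fluffy", "Mariners2009!", "Passw0rd!"):
        print(candidate, "->", password_findings(candidate, ("Fluffy",)) or "ok")
```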